Recently active topics

This message originated from Cribl Community Slack.Click here to view the original link.Hello community, is there a Cribl Cloud API endpoint I can hit to add multiple CIDR Ranges to the Workspace --> Access Control List? I have been scanning the API documentation for such an endpoint.

This message originated from Cribl Community Slack.Click here to view the original link.This may be a silly question, but regarding the Azure Event Hub source, let's say I have to restart my Stream workers or otherwise take them down briefly for maintenance. Once they come back up, they'll just resume the data ingestion where they left off, right? Do I need to do anything "special" to make sure it keeps track of where it needs to pick back up reading data?

This message originated from Cribl Community Slack.Click here to view the original link.I know that Cribl added the ability to include Source and Destinations in the Pack. I was looking at using this, and I can see in the routing that there is an option "Send to Worker Group routes". How do I actually access this data in the Worker Group routes?

This message originated from Cribl Community Slack.Click here to view the original link.Quick question.. Whats the simplest way to get the cribl audit logs from the leader node to a destination. The docs say the audit logs are written to the leader node logs dir; but i need to send these to a custom destination

This message originated from Cribl Community Slack.Click here to view the original link.I am using Cribl Cloud and have configured a REST Collector that stores a value named 'latestLoginTime' in state management. Should I be able to access that in a preprocessing pipeline using the following syntax? It doesn't appear to be present. __state.latestLoginTime

This message originated from Cribl Community Slack.Click here to view the original link.For setting up a trust with AWS in cribl cloud stream is there a global eternal id to provide to AWS or is it collector by collector?

This message originated from Cribl Community Slack.Click here to view the original link.Hi Team. I am trying to onboard Fortinet firewall logs in Cribl with UDP port 514. I am not receiving data in Cribl, I have asked the Fortinet team to route to different UDP port such as 1514 or 5514. But the team wants to send the data only in 514 port in UDP. Is it possible to onboard the data from Fortinet with UDP port 514?

This message originated from Cribl Community Slack.Click here to view the original link.Hi, I have an on prem stream single instance and i want to install Cribl edge on several servers to collect and forward logs to this stream instance. In this case what is the right architecture here? Can this Cribl stream single instance act as a leader for the edge nodes? or they require a separate leader ? If i install edge as a single instance on each machine i wish to collect from, does it consume a lot of resources? or should i install a separate leader node and all edge nodes connect to it?

This message originated from Cribl Community Slack.Click here to view the original link.Hi :wave: Apologies if this has been solved, I haven't been able to find anything using Slack's search option. The scenario is that we have a REST endpoint that we need to call to download a report with data, but in order to download the right report we need to first query a slightly different endpoint to get the last report ID. :sigh: Cribl's REST can do OAuth -> API call just fine, but then I need to store the returned value in a global variable so that the second REST call can look it up and use it. Not pretty, it's what we have. So the question is, is there an internal call that can perform an update of a global variable, or a REST/HTTP call that I can set as the destination to do this? The CoPilot AI says I can use /lib/vars/ endpoint to do this, however I can't find that endpoint in the API docs. The second problem I've run into is that there doesn't appear to be a REST destination that I c

This message originated from Cribl Community Slack.Click here to view the original link.Hi team, I’m configuring a Cribl File Monitor source to ingest multiple files under the same path, but it looks like only the first file in the list is actually being ingested. Has anyone run into this behaviour before? Max Depth is unlimited.Links for this message:Screenshot 2026-03-06 at 12.55.56 PM.png

This reference architecture shows one Cribl Stream deployment possibility for sending data to a mix of analytics tools and data lakes. Data is processed by a mix of Cribl-managed/PaaS (platform as a service) and hybrid Worker Groups, all coordinated by a Cribl.Cloud Leader with failover. The multiple Worker Groups are organized functionally, by Destination type. One Cribl-managed Group in Cribl.Cloud is reserved for on-demand replay from data lakes.Comprehensive hybrid Cribl.Cloud reference architectureDownload an editable version of this diagram in  or draw.io format. Download Cribl stencils here.This architecture shows Cribl.Cloud Leaders with a mix of Cribl-managed and customer-managed (hybrid) Workers. For a fully on-prem alternative, see the Cribl Full Suite Reference Architecture. Division of LaborCribl.Cloud maintains high-availability Leader infrastructure on your behalf.Cribl.Cloud also maintains secure copies of the Leader’s configurations for all Worker Groups (Cribl-managed

This reference architecture shows one Cribl Stream deployment possibility for sending data to a diverse mix of destinations, such as data centers, while minimizing data egress costs. The multiple Worker Groups might be organized functionally, or by geographic location.Comprehensive reference architectureDownload an editable version of this diagram in  or draw.io format. Download Cribl stencils here.This architecture shows on-prem Worker Groups and primary/standby Leaders. For a Cribl.Cloud-centric alternative, see Hybrid Cloud Data Architecture. Division of LaborIn this architecture, you manage all components.You also manage a remote Git repo. You manage commit, push, deploy, and backup operations through the Cribl Leader.The Replay Worker Group can be on-demand, and provisioned when heavy replays are planned. General Sizing ConsiderationsSize based on data throughput (in+out), and on number of incoming TCP connections. Destination ConsiderationsAdjust Destinations’ Advanced Settings &

This reference architecture shows one Cribl Stream deployment possibility for ingesting data from a large quantity of agents. Here, a single basic configuration is replicated across multiple Worker Groups, organized by geographic location.Multiple agents reference architectureDownload an editable version of this diagram in  or draw.io format. Download Cribl stencils here. Single or Multiple Worker Groups?The multiple-Groups architecture shown here is one approach. It might or might not be desirable for your use case.Pros of using multiple Worker Groups:Configuration granularity. Can use Packs to export/reuse configurations across Groups.Cons of using multiple Worker Groups:Multiple configurations to maintain (even if shared via Packs). General Sizing ConsiderationsSize based on data throughput (in+out), and on number of incoming TCP connections. Sizing ExamplesBelow are two scenarios demonstrating how to determine the number of Stream Worker Processes you’ll need to allocate. Both scen

This reference architecture shows one possibility for ingesting and replaying diverse data types from multiple senders. The Sources shown at left are just representative examples. The replay workers at right could be hosted on Linux servers, in Kubernetes Pods, etc.Unified Ingest & Replay with Cribl StreamDownload an editable version of this diagram in  or draw.io format. Download Cribl stencils here. Sizing ConsiderationsAn all-in one Worker Group works best with fewer than 2000 Sources (agents, syslog senders, and so forth).Syslog over TCP should be under 200 GB/day from any one sender. Account for up to 50% bursts in traffic. Load BalancersThe load balancer in front of the Leader UI can be an Application Load Balancer or a Network Load Balancer.The load balancer between the Cribl Workers and the Cribl Leader listening on port 4200 must be a Network Load Balancer or equivalent. Leader High AvailabilityConfiguring Leader high availability requires a standby server, a load balancer

The Cribl Syslog Source is Cribl’s most commonly used input type. Cribl Stream can act as your edge and/or central syslog server, giving you more capability while easing management tasks. Cribl Stream can scale to handle your syslog data volume, and can queue data to a disk buffer to help ensure its delivery.This reference architecture starts with a syslog overview, then outlines tested practices for deploying Cribl Stream as a syslog server to collect syslog data from multiple geographic regions. It also covers tuning the server, along with broader guidance toward optimizing a high-performance syslog platform.Syslog/Cribl Stream reference architectureDownload an editable version of this diagram in  or draw.io format. Download Cribl stencils here. Syslog OverviewA widely used protocol, syslog is the de facto standard way to deliver log events. Many apps and systems offer syslog as a delivery option, and nearly every SIEM and search tool accepts syslog as an input. It’s the lowest commo

To guide you in designing and optimizing your Cribl implementation, this page outlines topology and connections for the full suite of Cribl products. You’ll find details about the components of the management, control, and data planes, and about the communication protocols that Cribl products use to interoperate. High-Level Example ArchitectureThis diagram summarizes possible relationships and connections among all Cribl products. To foreground Cribl Search and Cribl Lake options, it assumes a Cribl.Cloud Leader as the control plane.The hybrid Stream Worker Groups represent zero to many customer-managed Groups, deployed on-prem or in private clouds.Full-suite reference architectureDownload an editable version of this diagram in  or draw.io format. Download Cribl stencils here. Notes About the DiagramThis is an abstract, example architecture incorporating several Cribl components. Arrows indicate the flow of events, logs, metrics, and/or traces. A teal dashed outline indicates a resourc

Want to bring your existing Cribl configs into Terraform? This new workflow lets you export your current setup and turn it into reusable, version-controlled IaC. https://docs.cribl.io/cribl-as-code/terraform-migrate-resources/Highlights:• Export existing configs directly to Terraform• Make your Cribl environments repeatable and auditablePerfect for anyone looking to standardize and scale their deployments

 Hi,I would like advise seek advise regarding the CC Admin-Edge Final Review Lab. I have a task that keeps failing to clear.  I'm unsure which step I may have missed out. Please see details and screenshots below Task 11: Add Mask function to obfuscate VISA, Mastercard, and Discover credit cards numbersTask 11 InstructionsMask Function, Masking Rules createdMatch Regex and Replace Expression for Visa, Mastercard and Discover Applied to fields _raw from captured Sample Data Masking rules for VisaMatch Regex and Replace Expression Sample input/output results from captured sample data Masking rules for MastercardMatch Regex and Replace Expression Sample input/output results from captured sample dataMasking rules for DiscoverMatch Regex and Replace Expression Sample input/output results from captured sample data 

Search - This pack helps display worker groups, routes, pipelines, packs, and Edge Node Statistics (top 10 by bytes in and by events in) in one location View Pack

As of March 18, 2026, FinOps Center dashboards and invoices are fully restored and available. No action is required.If you have any questions, please reach out to your account team or contact us through our Support Portal. 

Search - This pack helps display worker groups, routes, pipelines, packs, and Edge Node Statistics (top 10 by bytes in and by events in) in one location View Pack

Search - Analyze Zscaler Logs View Pack

Search - Profile search usage by user, type, credits, and more based on internal Cribl logs View Pack

Search - Analyze Zscaler Logs View Pack

I need to open a support case